[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2017-3640)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue Nov 14 06:20:58 PST 2017


Synopsis: ELSA-2017-3640 can now be patched using Ksplice
CVEs: CVE-2016-9191 CVE-2017-12192 CVE-2017-2618

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2017-3640.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Kernel hang in directory entry invalidation race.

A race condition when calling d_invalidate() could result in a kernel
hang and then panic due to watchdog timeout.  A system under heavy I/O
load could become unresponsive and hang under specific conditions.


* CVE-2017-12192: Denial-of-service when reading negative key.

Invalid memory access when reading key negative from kernel key management
facility results in a crash. An unprivileged local user can exploit this
to cause denial-of-service.


* CVE-2016-9191: Denial-of-service when using sysctl concurrently.

A refcounting error in sysctl handling could lead to an infinite loop if
unregister_sysctl_table() is called concurrently with sysctl actions
from userspace. An attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-2618: Information leak in SELinux attribute handling.

An off-by-one error in SELinux attribute handling can cause sensitive
information to be leaked from the kernel. A local attacker could use
this flaw to facilitate an exploit.


* Task hang in virtual memory adjustment under load.

Incorrect locking could result in deadlock and a task hang when
adjusting virtual memory areas under system load.


* Infiniband failures with sendonly multicast joins.

Incorrect handling of sendonly multicast joins could result in
networking failures on Infiniband setups.

Orabug: 26324050

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.






More information about the El-errata mailing list